[Samba] DNS question

L.P.H. van Belle belle at bazuin.nl
Thu Sep 5 10:14:19 UTC 2019


This does not look bad, pretty OK.

But I do have a question here.

> ipaddress: 10.103.1.6 X.X.103.1
This indicates that the primary interface is eno2.

> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1

Since I'm not seeing the routing table, that could be a point of improvement.
Check the default with: route | grep default

The hosts file only has
> X.X.103.1    dc1.xxx.yyy.zzz    dc1
Kerberos points to: X.X.103.1

smb.conf points to eno1 (X.X.103.1)
>     interfaces = lo eno1

That's the first thing I see.

So, what is the PTR record of dc1 set to? The IP of eno1 or eno2?


Greetz, 

Louis


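The three things Louis asks about (which interface carries the default route, what /etc/hosts says, and what the PTR record of dc1 points at) can be checked in one pass against the collected output. The script below is an added example; it is not part of the thread nor of the samba-collect-debug-info.sh script. It works on captured command output so it runs offline. The routing table and the PTR answer are not in the thread, so the values used for them here are constructed, as are the one-line `ip -4 -o addr show` form of the interface list and the trimmed smb.conf.

```bash
#!/bin/sh
# Added example: offline consistency check for a multi-homed Samba AD DC.
# Each input is passed in as captured command output, so it can be run
# against a collected-debug-info dump. The sample data at the bottom is the
# anonymized data from the thread, EXCEPT the default route and the PTR
# answer, which the thread does not show; those are constructed here to
# illustrate the mismatch being asked about.

# Interface carrying the default route, from `ip route show default` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1=="default"{for(i=1;i<=NF;i++)if($i=="dev"){print $(i+1);exit}}'
}

# IPv4 address of interface $2, from one-line `ip -4 -o addr show` output.
iface_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '$2==want && $3=="inet"{sub(/\/.*/,"",$4);print $4;exit}'
}

# Non-loopback names from the `interfaces =` line of smb.conf (empty if unset).
smb_interfaces() {
    printf '%s\n' "$1" | awk -F= '{k=$1;gsub(/[ \t]/,"",k)} k=="interfaces"{
        n=split($2,a,/[ \t]+/); s=""
        for(i=1;i<=n;i++) if(a[i]!="" && a[i]!="lo") s=s (s==""?"":" ") a[i]
        print s; exit}'
}

# Address /etc/hosts gives for FQDN $2 (comment lines ignored).
hosts_addr() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '$1!~/^#/{for(i=2;i<=NF;i++)if($i==fqdn){print $1;exit}}'
}

# Run the checks. Prints one OK:/WARN: line each; exit status = number of warnings.
# $1 route output, $2 addr output, $3 smb.conf text, $4 /etc/hosts text,
# $5 the DC's FQDN, $6 the name a PTR lookup of the DC's address returned.
check_dc() {
    route=$1; addrs=$2; smbconf=$3; hosts=$4; fqdn=$5; ptr_name=$6
    warn=0
    def_if=$(default_iface "$route")
    smb_if=$(smb_interfaces "$smbconf")

    # 1. With "bind interfaces only = Yes", Samba listens (and registers its
    #    own DNS records) only on the interfaces= addresses. If the host's
    #    default route leaves on another interface, the DC is reachable on an
    #    address Samba never answers on.
    if [ -z "$smb_if" ]; then
        bind_if=$def_if
        echo "OK:   no 'interfaces =' restriction, Samba listens on all addresses"
    else
        bind_if=${smb_if%% *}
        case " $smb_if " in
            *" $def_if "*) echo "OK:   default route interface $def_if is in 'interfaces = $smb_if'" ;;
            *) echo "WARN: default route leaves via $def_if ($(iface_addr "$addrs" "$def_if")) but Samba binds only: $smb_if"
               warn=$((warn+1)) ;;
        esac
    fi
    smb_ip=$(iface_addr "$addrs" "$bind_if")

    # 2. /etc/hosts must map the DC's FQDN to the address Samba binds to.
    host_ip=$(hosts_addr "$hosts" "$fqdn")
    if [ "$host_ip" = "$smb_ip" ]; then
        echo "OK:   /etc/hosts maps $fqdn to $host_ip"
    else
        echo "WARN: /etc/hosts maps $fqdn to '$host_ip' but Samba binds $smb_ip"
        warn=$((warn+1))
    fi

    # 3. The PTR record for that address must point back at the DC's FQDN.
    if [ "$ptr_name" = "$fqdn" ]; then
        echo "OK:   PTR for $smb_ip is $ptr_name"
    else
        echo "WARN: PTR for $smb_ip is '$ptr_name', expected $fqdn"
        warn=$((warn+1))
    fi
    return $warn
}

# Constructed sample input: thread data, with a hypothetical default route.
SAMPLE_ROUTE='default via 10.103.1.1 dev eno2 onlink'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eno2    inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
3: eno1    inet X.X.103.1/22 brd X.X.103.255 scope global eno1'
SAMPLE_SMBCONF='[global]
    bind interfaces only = Yes
    interfaces = lo eno1
    netbios name = DC1'
SAMPLE_HOSTS='127.0.0.1    localhost
X.X.103.1    dc1.xxx.yyy.zzz    dc1'

# Stand-alone run; the PTR answer is assumed to be correct here.
check_dc "$SAMPLE_ROUTE" "$SAMPLE_ADDRS" "$SAMPLE_SMBCONF" "$SAMPLE_HOSTS" \
         dc1.xxx.yyy.zzz dc1.xxx.yyy.zzz || echo "$? warning(s) found"
```

Feed it the real outputs of `ip route show default`, `ip -4 -o addr show`, the smb.conf, /etc/hosts and the result of `host X.X.103.1 X.X.103.1` to see which of the three disagrees. A WARN on the first check is exactly the situation Louis is asking about: the host's primary path on eno2 while Samba, the hosts file and Kerberos all use the eno1 address.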

> -----Original message-----
> From: Christian [mailto:chanlists at googlemail.com] 
> Sent: Thursday, 5 September 2019 11:43
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] DNS question
> 
> OK... Voilà... Thanks,
> 
> Christian
> 
> Collected config  --- 2019-09-05-11:33 -----------
> 
> Hostname: dc1
> DNS Domain: xxx.yyy.zzz
> FQDN: dc1.xxx.yyy.zzz
> ipaddress: 10.103.1.6 X.X.103.1
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.xxx.yyy.zzz record verified ok, sample output:
> Server:        X.X.103.1
> Address:    X.X.103.1#53
> 
> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc1.xxx.yyy.zzz.
> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc2.xxx.yyy.zzz.
> Samba is running as an AD DC
> 
> -----------
>        Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 9.9 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
> group default qlen 1000
>     link/ether 4c:ed:fb:91:aa:41 brd ff:ff:ff:ff:ff:ff
>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>     inet6 fe80::4eed:fbff:fe91:aa41/64 scope link
> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
> group default qlen 1000
>     link/ether 4c:ed:fb:91:aa:42 brd ff:ff:ff:ff:ff:ff
>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
>     inet6 fe80::4eed:fbff:fe91:aa42/64 scope link
> 
> -----------
>        Checking file: /etc/hosts
> 
> 127.0.0.1    localhost
> X.X.103.1    dc1.xxx.yyy.zzz    dc1
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>        Checking file: /etc/resolv.conf
> 
> nameserver X.X.103.1
> search xxx.yyy.zzz
> 
> -----------
> 
>        Checking file: /etc/krb5.conf
> 
> [libdefaults]
>     default_realm = YYY.XXX.ZZZ
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     forwardable = true
>     proxiable = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     ccache_type = 4
> 
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> -----------
> 
>        Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>        Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     interfaces = lo eno1
>     netbios name = DC1
>     realm = YYY.XXX.ZZZ
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = XXX
>     idmap_ldb:use rfc2307 = yes
>     winbind expand groups = 2
>     wins support = yes
>     ntlm auth = yes
>     allow dns updates = disabled
>     kdc:service ticket lifetime = 24
>     kdc:user ticket lifetime = 24
>     kdc:renewal lifetime = 168
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/xxx.yyy.zzz/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 
> -----------
> 
> Detected bind DLZ enabled..
>        Checking file: /etc/bind/named.conf
> 
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.options
> 
> options {
>     directory "/var/cache/bind";
> 
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
> 
>     forwarders {
>          X.X.1.32;
>         X.X.1.40;
>     };
> 
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys.  See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation auto;
> 
>     auth-nxdomain yes;    # conform to RFC1035 is no
>     listen-on-v6 { any; };
>         empty-zones-enable no;
>         // https://wiki.samba.org/index.php/Dns-backend_bind
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.local
> 
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> 
> // adding the dlopen ( Bind DLZ ) module for samba.
> // at install debian already sets the correct bind9.XX version in this file below.
> include "/var/lib/samba/bind-dns/named.conf";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.default-zones
> 
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
> 
> -----------
> 
> Samba DNS zone list:   5 zone(s) found
> 
>   pszZoneName                 : xxx.yyy.zzz
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
> 
>   pszZoneName                 : 103.X.X.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
> 
>   pszZoneName                 : 102.X.X.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
> 
>   pszZoneName                 : 1.103.10.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
> 
>   pszZoneName                 : _msdcs.xxx.yyy.zzz
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.xxx.yyy.zzz
> 
> Samba DNS zone list Automated check :
> zone : xxx.yyy.zzz ok, no Bind flat-files found
> -----------
> zone : 103.X.X.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 102.X.X.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 1.103.10.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.xxx.yyy.zzz ok, no Bind flat-files found
> -----------
> 
> Installed packages:
> ii  acl                               2.2.52-3+b1                   
> amd64        Access control list utilities
> ii  attr                              1:2.4.47-2+b2                 
> amd64        Utilities for manipulating filesystem extended attributes
> ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u5  
> amd64        Internet Domain Name Server
> ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u5  
> amd64        Version of 'host' bundled with BIND 9.X
> ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u5  
> amd64        Utilities for BIND
> ii  exim4-daemon-heavy                4.89-2+deb9u5                 
> amd64        Exim MTA (v4) daemon with extended features, including
> exiscan-acl
> ii  krb5-config                       2.6                           
> all          Configuration files for Kerberos Version 5
> ii  krb5-locales                      1.15-1+deb9u1                 
> all          internationalization support for MIT Kerberos
> ii  krb5-user                         1.15-1+deb9u1                 
> amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                     2.2.52-3+b1                   
> amd64        Access control list shared library
> ii  libacl1-dev                       2.2.52-3+b1                   
> amd64        Access control list static libraries and headers
> ii  libattr1:amd64                    1:2.4.47-2+b2                 
> amd64        Extended attribute shared library
> ii  libattr1-dev:amd64                1:2.4.47-2+b2                 
> amd64        Extended attribute static libraries and headers
> ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u5  
> amd64        BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                 
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u3          
> amd64        Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                   1.15-1+deb9u1                 
> amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64             1.15-1+deb9u1                 
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64              2:4.10.5+nmu-0debian0         
> amd64        Samba nameservice integration plugins
> ii  libpam-winbind:amd64              2:4.10.5+nmu-0debian0         
> amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64                2:4.10.5+nmu-0debian0         
> amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                2:4.10.5+nmu-0debian0         
> amd64        Samba winbind client library
> ii  openafs-krb5                      1.6.20-2+deb9u2               
> amd64        AFS distributed filesystem Kerberos 5 integration
> ii  python3-samba                     2:4.10.5+nmu-0debian0         
> amd64        Python 3 bindings for Samba
> ii  samba                             2:4.10.5+nmu-0debian0         
> amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                      2:4.10.5+nmu-0debian0         
> all          common files used by both the Samba server and client
> ii  samba-common-bin                  2:4.10.5+nmu-0debian0         
> amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64          2:4.10.5+nmu-0debian0         
> amd64        Samba Directory Services Database
> ii  samba-libs:amd64                  2:4.10.5+nmu-0debian0         
> amd64        Samba core libraries
> ii  samba-vfs-modules:amd64           2:4.10.5+nmu-0debian0         
> amd64        Samba Virtual FileSystem plugins
> ii  smbclient                         2:4.10.5+nmu-0debian0         
> amd64        command-line SMB/CIFS clients for Unix
> ii  winbind                           2:4.10.5+nmu-0debian0         
> amd64        service to resolve user and group information 
> from Windows
> NT servers
> 
> -----------
> 
> On 05.09.2019 at 10:07, L.P.H. van Belle wrote:
> > Hai, 
> >
> > Post me, for both DCs, the debug output of: 
> > 
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
> >
> > Anonymize it where needed. 
> >
> > The problem you are having is due to... "Something is not right."
> > But what? That is not possible to tell because we don't see any config.
> > And why? Because this setup should work fine. We know it should work fine. 
> >
> > Greetz, 
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> >> Christian via samba
> >> Sent: Thursday, 5 September 2019 10:01
> >> To: samba at lists.samba.org
> >> Subject: [Samba] DNS question
> >>
> >> Dear list,
> >>
> >> We use debian stretch with Louis's 4.10.5 packages and bind9_dlz
> >> backend. There are two AD DCs with redundant ISC DHCP servers on them.
> >> The DHCP servers are updating the DNS along the lines of
> >>
> >> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >>
> >> but with nsupdate commands replaced by suitable calls to "samba-tool" (I
> >> had problems getting the nsupdate approach to work with the redundant
> >> dhcp servers on the second server). I am trying to debug some strange
> >> network issues right now. For example, when I ssh to the DCs, the login
> >> process sometimes stalls for extended periods of time without even
> >> asking for the username. Could DNS be part of the mix? Is using the
> >> calls to samba-tool a bad idea? Could this be related to the "lockup
> >> problem"?
> >>
> >> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
> >>
> >> Would that be different if I use nsupdate vs samba-tool? Would I be
> >> better off with the internal DNS? If I switch to the internal DNS, are
> >> existing zones and entries transferred? Thanks for any insights and best
> >> wishes,
> >>
> >> Christian
> >>
> 
> 
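Christian's setup replaces the wiki's nsupdate calls in the DHCP hook with samba-tool. Below is an added example, my own code rather than the wiki's DHCP script or anything posted in the thread, of what such a hook sends when it uses nsupdate with GSS-TSIG instead, together with the hostname and address validation that belongs in front of either tool, because DHCP clients choose their own host-name option. The domain and realm are the thread's; the `dhcpduser` principal, its keytab path, the 3600 s TTL and the assumption of /24 reverse zones (the thread lists 1.103.10.in-addr.arpa) are mine.

```bash
#!/bin/sh
# Added example (not the Samba wiki's script, not from the thread): build the
# GSS-TSIG dynamic update a DHCP commit/release hook hands to nsupdate, with
# the input validation such a hook needs. Only text is generated here, so it
# runs offline. Principal, keytab and /24 reverse zones are assumptions.

DOMAIN="xxx.yyy.zzz"              # from the thread
REALM="YYY.XXX.ZZZ"               # from the thread
DNS_SERVER="dc1.${DOMAIN}"        # the DC running BIND9 DLZ
KEYTAB="/etc/dhcpduser.keytab"    # assumption: keytab of the DHCP update account
PRINCIPAL="dhcpduser@${REALM}"    # assumption: account granted update rights only

# The DHCP host-name option is client-supplied. Accept only a plain
# letters/digits/hyphen label (RFC 952/1123), so a rogue client can neither
# inject nsupdate commands nor register a dotted name inside another zone.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Four dotted decimal octets, each 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF!=4{exit 1}{for(i=1;i<=4;i++)if($i!~/^[0-9]+$/||$i>255)exit 1}'
}

# 10.103.1.6 -> 6.1.103.10.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# 10.103.1.6 -> 1.103.10.in-addr.arpa (assumes /24 reverse zones, as in the thread)
rev_zone() {
    printf '%s\n' "$1" | awk -F. '{print $3"."$2"."$1".in-addr.arpa"}'
}

# nsupdate script for one lease: $1 = add|delete, $2 = client IP, $3 = hostname.
# Both directions are deleted before the add, so a re-lease or a client that
# moved address never leaves a stale A or PTR behind. Forward and reverse are
# two separate sends because they live in different zones.
nsupdate_script() {
    action=$1; ip=$2; host=$3
    valid_hostname "$host" || { echo "rejecting hostname '$host'" >&2; return 1; }
    valid_ipv4 "$ip"       || { echo "rejecting address '$ip'" >&2; return 1; }
    case "$action" in add|delete) ;; *) return 1 ;; esac
    fqdn="${host}.${DOMAIN}"
    ptr=$(ptr_name "$ip")
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$DOMAIN"
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" = add ]; then printf 'update add %s 3600 A %s\n' "$fqdn" "$ip"; fi
    printf 'send\n'
    printf 'zone %s\n' "$(rev_zone "$ip")"
    printf 'update delete %s PTR\n' "$ptr"
    if [ "$action" = add ]; then printf 'update add %s 3600 PTR %s.\n' "$ptr" "$fqdn"; fi
    printf 'send\n'
}

# What dhcpd's `on commit` / `on release` execute() hook would call. Not run
# here: it needs the keytab and a reachable DC. The keytab login takes the
# place of a shared TSIG key, and `nsupdate -g` signs the request with
# GSS-TSIG so a zone flagged DNS_RPC_ZONE_UPDATE_SECURE accepts it. The
# samba-tool form of the forward add, with Samba 4.10 option syntax, is:
#   samba-tool dns add "$DNS_SERVER" "$DOMAIN" "$host" A "$ip" -k yes
dhcp_hook() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    nsupdate_script "$@" | nsupdate -g
}

# Stand-alone demo on a constructed lease: print what would be sent.
nsupdate_script add 10.103.1.6 pc42
```

Whichever tool performs the update, the validation step is the part worth keeping: both nsupdate and samba-tool will happily register whatever name the DHCP client announced, and the zone's "secure update" flag only says who may update, not what they may write.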